Kerberos Version 5, Release 1.18
Release Notes
The MIT Kerberos Team
Copyright and Other Notices
---------------------------
Copyright (C) 1985-2020 by the Massachusetts Institute of Technology
and its contributors. All rights reserved.
Please see the file named NOTICE for additional notices.
Documentation
-------------
Unified documentation for Kerberos V5 is available in both HTML and
PDF formats. The table of contents of the HTML format documentation
is at doc/html/index.html, and the PDF format documentation is in the
doc/pdf directory.
Additionally, you may find copies of the HTML format documentation
online at
https://web.mit.edu/kerberos/krb5-latest/doc/
for the most recent supported release, or at
https://web.mit.edu/kerberos/krb5-devel/doc/
for the release under development.
More information about Kerberos may be found at
https://web.mit.edu/kerberos/
and at the MIT Kerberos Consortium web site
https://kerberos.org/
Building and Installing Kerberos 5
----------------------------------
Build documentation is in doc/html/build/index.html or
doc/pdf/build.pdf.
The installation guide is in doc/html/admin/install.html or
doc/pdf/install.pdf.
If you are attempting to build under Windows, please see the
src/windows/README file.
Reporting Bugs
--------------
Please report any problems/bugs/comments by sending email to
krb5-bugs@mit.edu.
You may view bug reports by visiting
https://krbdev.mit.edu/rt/
and using the "Guest Login" button. Please note that the web
interface to our bug database is read-only for guests, and the primary
way to interact with our bug database is via email.
DES no longer supported
-----------------------
Beginning with the krb5-1.18 release, single-DES encryption types are
no longer supported.
Major changes in 1.18.3 (2020-11-17)
------------------------------------
This is a bug fix release.
* Fix a denial of service vulnerability when decoding Kerberos
protocol messages.
* Fix a locking issue with the LMDB KDB module which could cause KDC
and kadmind processes to lose access to the database.
* Fix an assertion failure when libgssapi_krb5 is repeatedly loaded
and unloaded while libkrb5support remains loaded.
krb5-1.18.3 changes by ticket ID
--------------------------------
7476 updated manual page for kvno
8614 Assertion failure when repeatedly loading libgssapi_krb5
8882 kdb5_util load ignores password expiration with LDAP KDB module
8918 KDC and kadmind fork with DB open, breaking LMDB KDB module
8926 Allow gss_unwrap_iov() of unpadded RC4 tokens
8933 Fix input length checking in SPNEGO DER decoding
8936 Set lockdown attribute when creating LDAP KDB
8938 Leash crashes on failure to auto-renew tickets
8939 Suppress Leash error popup on MSLSA renew failure
8959 Add recursion limit for ASN.1 indefinite lengths
8960 Fix compatibility with upcoming autoconf 2.70
Major changes in 1.18.2 (2020-05-21)
------------------------------------
This is a bug fix release.
* Fix a SPNEGO regression where an acceptor using the default
credential would improperly filter mechanisms, causing a negotiation
failure.
* Fix a bug where the KDC would fail to issue tickets if the local
krbtgt principal's first key has a single-DES enctype.
* Add stub functions to allow old versions of OpenSSL libcrypto to
link against libkrb5.
* Fix a NegoEx bug where the client name and delegated credential
might not be reported.
krb5-1.18.2 changes by ticket ID
--------------------------------
8898 Fix overzealous SPNEGO src_name/deleg_cred release
8905 Add stubs for some removed replay cache functions
8906 KDC can select local TGT key of unsupported enctype
8908 Fix SPNEGO acceptor mech filtering
Major changes in 1.18.1 (2020-04-13)
------------------------------------
This is a bug fix release.
* Fix a crash when qualifying short hostnames when the system has no
primary DNS domain.
* Fix a regression when an application imports "service@" as a GSS
host-based name for its acceptor credential handle.
* Fix KDC enforcement of auth indicators when they are modified by the
KDB module.
* Fix removal of require_auth string attributes when the LDAP KDB
module is used.
* Fix a compile error when building with musl libc on Linux.
* Fix a compile error when building with gcc 4.x.
* Change the KDC constrained delegation precedence order for
consistency with Windows KDCs.
krb5-1.18.1 changes by ticket ID
--------------------------------
8876 Fix AS-REQ checking of KDB-modified indicators
8877 Cannot remove require_auth attribute with LDAP KDB module
8880 Fix Linux build error with musl libc
8881 Segfault in k5_primary_domain
8884 Change KDC constrained-delegation precedence order
8886 Document client keytab usage
8888 compile failure on red hat 6
8891 Codespell report for "krb5" (on fossies.org)
8894 Correct formatting of trace log microseconds
8895 ksu does not honor KRB5CCNAME
8896 Fix typo in SPAKE modprinc example
Major changes in 1.18 (2019-02-12)
----------------------------------
Administrator experience:
* Remove support for single-DES encryption types.
* Change the replay cache format to be more efficient and robust.
Replay cache filenames using the new format end with ".rcache2" by
default.
* setuid programs will automatically ignore environment variables that
normally affect krb5 API functions, even if the caller does not use
krb5_init_secure_context().
* Add an "enforce_ok_as_delegate" krb5.conf relation to disable
credential forwarding during GSSAPI authentication unless the KDC
sets the ok-as-delegate bit in the service ticket.
* Use the permitted_enctypes krb5.conf setting as the default value
for default_tkt_enctypes and default_tgs_enctypes.
Developer experience:
* Implement krb5_cc_remove_cred() for all credential cache types.
* Add the krb5_pac_get_client_info() API to get the client account
name from a PAC.
Protocol evolution:
* Add KDC support for S4U2Self requests where the user is identified
by X.509 certificate. (Requires support for certificate lookup from
a third-party KDB module.)
* Remove support for an old ("draft 9") variant of PKINIT.
* Add support for Microsoft NegoEx. (Requires one or more third-party
GSS modules implementing NegoEx mechanisms.)
* Honor the transited-policy-checked ticket flag on application
servers, eliminating the requirement to configure capaths on
servers in some scenarios.
User experience:
* Add support for "dns_canonicalize_hostname=fallback""`, causing
host-based principal names to be tried first without DNS
canonicalization, and again with DNS canonicalization if the
un-canonicalized server is not found.
* Expand single-component hostnames in host-based principal names when
DNS canonicalization is not used, adding the system's first DNS
search path as a suffix. Add a "qualify_shortname" krb5.conf
relation to override this suffix or disable expansion.
Code quality:
* The libkrb5 serialization code (used to export and import krb5 GSS
security contexts) has been simplified and made type-safe.
* The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED
messages has been revised to conform to current coding practices.
* The test suite has been modified to work with macOS System Integrity
Protection enabled.
* The test suite incorporates soft-pkcs11 so that PKINIT PKCS11
support can always be tested.
krb5-1.18 changes by ticket ID
------------------------------
5891 kdb_ldap should treat entries with "nsAccountLock: true" as locked
7135 gssapi mechanism glue dlcloses objects potentially after they are already unloaded
7765 Some ccache functions not exported
7871 KDC should not fail requests due to forwardable/proxiable option
8349 use __APPLE_USE_RFC_3542 to get IPV6_PKTINFO on Mac OS X
8761 ksu doesn't allow acquisition of non-forwardable tickets
8764 get_creds can add redundant cache entry for referral ticket
8765 Add dns_canonicalize_hostname=fallback support
8773 Mark deprecated enctypes when used
8775 Process SPNEGO error tokens through mech
8777 S4U2Self with X.509 certificate bugs
8778 Add new kvno protocol transition options
8780 Expand S4U2Self exception in KDC lineage check
8781 Add KDC support for X.509 S4U2Self requests
8784 Use better name type for PKINIT KDC certs
8785 Use memory replay cache for DO_TIME auth contexts
8786 Hash-based replay cache implementation
8788 Rename configure.in to configure.ac
8791 Add option to build without libkeyutils
8792 Implement krb5_cc_remove_cred for remaining types
8793 Remove srvtab support
8794 Remove kadmin RPC support for setting v4 key
8795 configure: chech for libncursesw, if libncurses is not found
8798 Remove ovsec_adm_export dump format support
8799 Check more errors in OpenSSL crypto backend
8800 Add secure_getenv() support
8804 Remove checksum type profile variables
8805 Modernize example enctypes in documentation
8806 kdb5_util errors on command arguments matching command names
8807 Set a more modern default ksu CMD_PATH
8808 Remove single-DES support
8811 In klist, display ticket server if different
8812 Remove support for no-flags SAM-2 preauth
8815 Verify PAC client name independently of name-type
8816 kproplog cannot display LOCKDOWN_KEYS attribute
8817 Remove PKINIT draft 9 support
8819 gss_set_allowable_enctypes() fails if any enctypes aren't recognized
8823 Allow the KDB to see and modify auth indicators
8827 Change definition of KRB5_KDB_FLAG_CROSS_REALM
8828 Add API to get client account name from PAC
8829 Fix authdata signatures for non-TGT AS-REQs
8833 Add environment variable for GSS mech config
8842 Record start time of AS requests earlier in KDC
8843 Allow client canonicalization in non-krbtgt AS-REP
8844 SPNEGO should filter mechs on acceptor with gss_acquire_cred()
8845 SPNEGO init/accept output parameter bugs
8847 Add enforce_ok_as_delegate setting
8849 Install gssapi/gssapi_alloc.h properly
8851 NegoEx
8855 Qualify short hostnames when not using DNS
8856 segfault in krb5-1.17.1/src/lib/krb5/krb/authdata.c
8857 Don't warn in kadmin when no policy is specified
8858 Do not always canonicalize enterprise principals
8859 Remove KRB5_KDB_FLAG_ALIAS_OK
8860 Allow kprop over NATs
8861 Fix LDAP policy enforcement of pw_expiration
8864 Fix error handling in gssint_mechglue_init()
8865 Check cross-realm TGT name for RBCD requests
8866 Fix S4U client authdata handling
8867 Fix KDC crash in handle_signticket
8868 Allow cross-realm RBCD with PAC and other authdata
8869 Apply permitted_enctypes to KDC request enctypes
8870 Honor transited-policy-checked flag in servers
8872 Put KDB authdata first
8873 Don't assume OpenSSL failures are memory errors
8874 Always use S4U2Proxy second ticket parsed authdata
Acknowledgements
----------------
Past Sponsors of the MIT Kerberos Consortium:
Apple
Carnegie Mellon University
Centrify Corporation
Columbia University
Cornell University
The Department of Defense of the United States of America (DoD)
Fidelity Investments
Google
Iowa State University
MIT
Michigan State University
Microsoft
MITRE Corporation
Morgan-Stanley
The National Aeronautics and Space Administration
of the United States of America (NASA)
Network Appliance (NetApp)
Nippon Telephone and Telegraph (NTT)
US Government Office of the National Coordinator for Health
Information Technology (ONC)
Oracle
Pennsylvania State University
Red Hat
Stanford University
TeamF1, Inc.
The University of Alaska
The University of Michigan
The University of Pennsylvania
Past and present members of the Kerberos Team at MIT:
Danilo Almeida
Jeffrey Altman
Justin Anderson
Richard Basch
Mitch Berger
Jay Berkenbilt
Andrew Boardman
Bill Bryant
Steve Buckley
Joe Calzaretta
John Carr
Mark Colan
Don Davis
Sarah Day
Alexandra Ellwood
Carlos Garay
Dan Geer
Nancy Gilman
Matt Hancher
Thomas Hardjono
Sam Hartman
Paul Hill
Marc Horowitz
Eva Jacobus
Miroslav Jurisic
Barry Jaspan
Benjamin Kaduk
Geoffrey King
Kevin Koch
John Kohl
HaoQi Li
Jonathan Lin
Peter Litwack
Scott McGuire
Steve Miller
Kevin Mitchell
Cliff Neuman
Paul Park
Ezra Peisach
Chris Provenzano
Ken Raeburn
Jon Rochlis
Jeff Schiller
Jen Selby
Robert Silk
Bill Sommerfeld
Jennifer Steiner
Ralph Swick
Brad Thompson
Harry Tsai
Zhanna Tsitkova
Ted Ts'o
Marshall Vale
Taylor Yu
The following external contributors have provided code, patches, bug
reports, suggestions, and valuable resources:
Ian Abbott
Brandon Allbery
Russell Allbery
Brian Almeida
Michael B Allen
Pooja Anil
Jeffrey Arbuckle
Heinz-Ado Arnolds
Derek Atkins
Mark Bannister
David Bantz
Alex Baule
David Benjamin
Thomas Bernard
Adam Bernstein
Arlene Berry
Jeff Blaine
Toby Blake
Radoslav Bodo
Sumit Bose
Emmanuel Bouillon
Isaac Boukris
Philip Brown
Samuel Cabrero
Michael Calmer
Andrea Campi
Julien Chaffraix
Puran Chand
Ravi Channavajhala
Srinivas Cheruku
Leonardo Chiquitto
Seemant Choudhary
Howard Chu
Andrea Cirulli
Christopher D. Clausen
Kevin Coffman
Simon Cooper
Sylvain Cortes
Ian Crowther
Arran Cudbard-Bell
Adam Dabrowski
Jeff D'Angelo
Nalin Dahyabhai
Mark Davies
Dennis Davis
Alex Dehnert
Mark Deneen
Günther Deschner
John Devitofranceschi
Marc Dionne
Roland Dowdeswell
Dorian Ducournau
Viktor Dukhovni
Jason Edgecombe
Mark Eichin
Shawn M. Emery
Douglas E. Engert
Peter Eriksson
Juha Erkkilä
Gilles Espinasse
Ronni Feldt
Bill Fellows
JC Ferguson
Remi Ferrand
Paul Fertser
Fabiano Fidêncio
Frank Filz
William Fiveash
Jacques Florent
Ákos Frohner
Sebastian Galiano
Marcus Granado
Dylan Gray
Norm Green
Scott Grizzard
Helmut Grohne
Steve Grubb
Philip Guenther
Timo Gurr
Dominic Hargreaves
Robbie Harwood
John Hascall
Jakob Haufe
Matthieu Hautreux
Jochen Hein
Paul B. Henson
Jeff Hodges
Christopher Hogan
Love Hörnquist Åstrand
Ken Hornstein
Henry B. Hotz
Luke Howard
Jakub Hrozek
Shumon Huque
Jeffrey Hutzelman
Sergey Ilinykh
Wyllys Ingersoll
Holger Isenberg
Spencer Jackson
Diogenes S. Jesus
Pavel Jindra
Brian Johannesmeyer
Joel Johnson
Lutz Justen
Alexander Karaivanov
Anders Kaseorg
Bar Katz
Zentaro Kavanagh
Mubashir Kazia
W. Trevor King
Patrik Kis
Martin Kittel
Thomas Klausner
Matthew Krupcale
Mikkel Kruse
Reinhard Kugler
Tomas Kuthan
Pierre Labastie
Andreas Ladanyi
Chris Leick
Volker Lendecke
Jan iankko Lieskovsky
Todd Lipcon
Oliver Loch
Chris Long
Kevin Longfellow
Frank Lonigro
Jon Looney
Nuno Lopes
Todd Lubin
Ryan Lynch
Glenn Machin
Roland Mainz
Sorin Manolache
Robert Marshall
Andrei Maslennikov
Michael Mattioli
Nathaniel McCallum
Greg McClement
Cameron Meadors
Alexey Melnikov
Franklyn Mendez
Markus Moeller
Kyle Moffett
Paul Moore
Keiichi Mori
Michael Morony
Zbysek Mraz
Edward Murrell
Nikos Nikoleris
Demi Obenour
Felipe Ortega
Michael Osipov
Andrej Ota
Dmitri Pal
Javier Palacios
Dilyan Palauzov
Tom Parker
Eric Pauly
Leonard Peirce
Ezra Peisach
Alejandro Perez
Zoran Pericic
W. Michael Petullo
Mark Phalan
Sharwan Ram
Brett Randall
Jonathan Reams
Jonathan Reed
Robert Relyea
Tony Reix
Martin Rex
Pat Riehecky
Jason Rogers
Matt Rogers
Nate Rosenblum
Solly Ross
Mike Roszkowski
Guillaume Rousse
Joshua Schaeffer
Jens Schleusener
Andreas Schneider
Paul Seyfert
Tom Shaw
Jim Shi
Jerry Shipman
Peter Shoults
Richard Silverman
Cel Skeggs
Simo Sorce
Michael Spang
Michael Ströder
Bjørn Tore Sund
Ondřej Surý
Joe Travaglini
Sergei Trofimovich
Tim Uglow
Rathor Vipin
Denis Vlasenko
Jorgen Wahlsten
Stef Walter
Max (Weijun) Wang
John Washington
Stef Walter
Xi Wang
Nehal J Wani
Kevin Wasserman
Margaret Wasserman
Marcus Watts
Andreas Wiese
Simon Wilkinson
Nicolas Williams
Ross Wilper
Augustin Wolf
Garrett Wollman
David Woodhouse
Tsu-Phong Wu
Xu Qiang
Neng Xue
Zhaomo Yang
Nickolai Zeldovich
Bean Zhang
Hanz van Zijst
Gertjan Zwartjes
The above is not an exhaustive list; many others have contributed in
various ways to the MIT Kerberos development effort over the years.
Other acknowledgments (for bug reports and patches) are in the
doc/CHANGES file.